{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53207","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.391Z","datePublished":"2026-06-25T08:39:13.592Z","dateUpdated":"2026-06-25T08:39:13.592Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-25T08:39:13.592Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison\n\nTwo concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can\ntrigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock\nwhen racing with a concurrent unmap:\n\n  thread#0                              thread#1\n  --------                              --------\n  madvise(folio, MADV_HWPOISON)\n    -> poisons the folio successfully\n  madvise(folio, MADV_HWPOISON)         unmap(folio)\n    try_memory_failure_hugetlb\n      get_huge_page_for_hwpoison\n        spin_lock_irq(&hugetlb_lock)    <- held\n        __get_huge_page_for_hwpoison\n          hugetlb_update_hwpoison()\n            -> MF_HUGETLB_FOLIO_PRE_POISONED\n          goto out:\n            folio_put()\n              refcount: 1 -> 0\n              free_huge_folio()\n                spin_lock_irqsave(&hugetlb_lock)\n                  -> AA DEADLOCK!\n\nThe out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop\nthe GUP reference while the hugetlb_lock is still held by the hugetlb.c\nwrapper get_huge_page_for_hwpoison().  If concurrent unmap has released\nthe page table mapping reference, folio_put() drops the folio refcount to\nzero, triggering free_huge_folio() which attempts to re-acquire the\nnon-recursive hugetlb_lock.\n\nFix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper\ninto get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the\nfolio_put() at the out: label so the folio is always released outside the\nlock.\n\n[akpm@linux-foundation.org: fix race, rename label per Miaohe]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/hugetlb.h","include/linux/mm.h","mm/hugetlb.c","mm/memory-failure.c"],"versions":[{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"fc3ff42cb0cbf947e4600ae9761c3783760050e2","status":"affected","versionType":"git"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"77b73b54801ae7137479c141fd0473a491c1dc48","status":"affected","versionType":"git"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"a33bfed648c10f5a1519981dbfad80841191edc8","status":"affected","versionType":"git"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"dd77a83915b07e2b0205adb284f08b39ae31dc4b","status":"affected","versionType":"git"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"bf7ba8f96c258c30393814491930ae4ecdc5fe5e","status":"affected","versionType":"git"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e","status":"affected","versionType":"git"},{"version":"62d1655b922958826b7ec22682c3141746f75064","status":"affected","versionType":"git"},{"version":"5.15.54","lessThan":"5.16","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/hugetlb.h","include/linux/mm.h","mm/hugetlb.c","mm/memory-failure.c"],"versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.6.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.12.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.18.36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"7.0.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.54"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2"},{"url":"https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48"},{"url":"https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8"},{"url":"https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b"},{"url":"https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e"},{"url":"https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e"}],"title":"mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison","x_generator":{"engine":"bippy-1.2.0"}}}}